Digital Privacy and the Right to be Protected

Is digital privacy a right or privilege for individuals? The answer depends on various factors, including regional regulations, geography, culture, and financial agreements between users and services. These are just a few of the considerations that may influence one’s viewpoint on the desirable, expected and demanded level of digital privacy.

Despite such differences, there is a growing public concern about digital privacy. People are starting to realize how difficult it is for the average person to keep track of what sensitive information has been collected about them and who has access to it. Moreover, the digital footprint of an individual is steadily growing like a ripple effect, spreading to untraceable corners of the Internet. The ways that information can be used (legitimately or maliciously), shared, monetized, combined, correlated and mined may potentially lead to unintended, or even catastrophic, consequences for an individual’s personal and financial well-being as well as for society as a whole.

Our digital privacy is at risk in unprecedented ways. Personal data can affect our reputations, it can be used to exercise control over us and in the wrong hands, it can cause great harm. People need a partner to safeguard their identity and defend them from nefarious actors. They need help identifying the important elements of their digital life that need to be kept private and secure.

Since its inception, Symantec has built the company on protecting people and companies online, and now Symantec Research Labs (SRL) has made privacy and identity one of its central research pillars. SRL is building a new Privacy Lab in Germany dedicated to the technological advancement of digital privacy.  We believe it is imperative to research the potential negative uses and long-term consequences of the collection, use and monetization of personal data online. It’s time for the industry to proactively tackle technological and ethical standards for the use of people’s personal identifying information.

Web Services – and their Discontents

Let’s consider one of the most widely used services worldwide - the Web.

Web services have become so central to people’s lives that many consider them an essential utility. An initial assessment of the current Web tracking landscape paints a bleak picture. SRL and other researchers have confirmed that third-party software is embedded in the most popular websites, monitoring people’s visits and activity by using incredibly intrusive methods to identify and track individuals. Even when anti-tracking techniques are deployed, trackers have devised creative schemes to bypass them and continue monitoring user behavior.

To make matters worse, the most popular third-party trackers (covering 91% of the Alexa-500 most popular websites) share data with each other and are owned by a handful of companies, giving unprecedented levels of detailed information on individuals to a concentrated group of companies. Yet, most consumers are not aware this is happening, nor have they given permission for their information to be used this extensively.

Web behavior tracking and data collection in the name of “service personalization” is only the beginning of how people’s personal information is gathered and monetized. The ubiquitous presence of mobile and smart devices, the increased adoption of IoT, the new mobile paradigm introduced by 5G, and changes in everyday life automation technology (e.g., home assistants, autonomous cars, fitness/health trackers, etc.) offer an unending stream of incredibly sensitive data with no standards around privacy, safety, and security of that data.

The frequency of data leaks, exploits and vulnerabilities from connected devices significantly raises the risks for both consumers and enterprises. In some extreme cases, sensitive groups, such as victims of domestic violence or human rights activists, depend on digital privacy to keep their families and homes safe.

As Artificial Intelligence (AI) and Machine Learning (ML) programs use aggregated personal data and behavior analytics to build and train algorithms for personalized services, retrieving personal data becomes extremely difficult. Even in cases where the raw data is protected (or even deleted), sensitive information has already been embedded into the trained model.

ML techniques vary in their ability to resist attacks targeted at harvesting the original information from the trained model. In certain cases, model inference/extraction attacks are successful in revealing portions or even the entirety of the original data. Such examples demonstrate the complexities and challenges in building privacy-preserving technology. Individuals can be exposed to implicit privacy threats that are beyond their control or understanding. 

These serious (yet obscure) threats need to be addressed by the entities capable of protecting users. For instance, the “right to be forgotten” has been legislated in many places but does not explicitly address such subtle aspects of personal data usage. Symantec Research Labs intends to dive into these discrepancies and discover potential solutions.

Curated personal content from Web or social media sources has already been used to influence public opinion on important matters, such as elections, and steer individual behavior and decisions with personalized information that may or may not be true, as in the case of Cambridge Analytica.

Organizations seeking to undermine democracy can use the data to promote or silence opinions. More recently, monitoring people’s online behavior has been proposed by such governments as a key feature contributing to a “social credit score”, that will be used as a metric for eligibility to various benefits. All of these misuses underscore the urgent need for people to take back privacy control and mitigate threats to their private information.

Understanding Security Implications

But the threats are not just to consumers.

Enterprises, governments, and all organizations also have sensitive information that can be hacked.  Businesses that operate utilizing sensitive data are at risk themselves of legal and financial repercussions. Enterprises must face their responsibilities to ensure business success while securing their assets and preserving privacy for customers and employees. Data inspection, data loss prevention, anomaly and insider threat detection are just a few examples of critical security operations that enterprises must take on in a responsible and accountable way. Furthermore, enterprises must consider how to comply with regulation standards, such as GDPR, while proactively anticipating emerging threats, such as AI and ML attacks.

The privacy and identity threat landscape is evolving rapidly, and it’s difficult for businesses or consumers to track and fully comprehend the implications. SRL’s Privacy Lab will help both consumers as well as organizations navigate this ever-morphing landscape.

We must begin by making people aware of the ways their privacy is at risk and enable them to make wise decisions. Safeguarding people's digital life requires empowering them with visibility and control over the ways in which their private information is being collected, secured, shared and analyzed by parties they know about as well as third-parties that people may not know have access to individuals’ personal data. 

Symantec Research Labs has a long history of employing cutting-edge technology to protect individuals, companies, and data in a privacy preserving manner. With the new Privacy Lab in Germany, we believe digital privacy is a right for consumers. Therefore, we aim to help companies not only manage compliance on data protection regulations, but also become reliable stewards of the data they’ve been entrusted with by consumers and businesses. Our goal is to revolutionize privacy technology so people can reclaim control of their privacy and personally identifiable data.